@rtrentjones/greenlight 0.3.0 → 0.3.1

package/assets/skills/provider-gemini/SKILL.md

@@ -29,9 +29,17 @@ POST https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:ge
 → candidates[0].content.parts[0].text
 ```
 
-## Deploy — wrangler (workers target)
+## Deploy — emitted CI (push to main)
 
-Like the astro blog: cron + KV + secret + `custom_domain` in `wrangler.toml`; no Terraform.
+`greenlight add` resolves the Cloudflare **account id** into `wrangler.toml` (so wrangler skips the
+`/memberships` call a scoped token can't do) and emits **`.github/workflows/deploy-<name>.yml`**. On
+a push to main that touches `tools/<name>`, that workflow: **creates the KV namespace** (find-or-create
+in-CI — no manual step, the id stays a placeholder), deploys the Worker (cron + `custom_domain` from
+`wrangler.toml`), sets the `GEMINI_API_KEY` + `RUN_TOKEN` **Worker secrets** from GitHub secrets, seeds
+the first run, and verifies. So the only setup is **adding those two GitHub secrets**. (Local instead:
+`pnpm exec wrangler deploy --env prod`.)
+
+`wrangler.toml` carries the cron + KV binding + the per-env `custom_domain` route; no Terraform.
 
 ```toml
 [triggers]

package/dist/bin.js

@@ -15,8 +15,97 @@ import "./chunk-XWTOJHLV.js";
 import "./chunk-QFKE5JKC.js";
 
 // src/commands/add.ts
-import { cpSync as cpSync2, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, renameSync, writeFileSync as writeFileSync2 } from "fs";
-import { join, resolve as resolve5 } from "path";
+import { cpSync as cpSync2, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, renameSync, writeFileSync as writeFileSync3 } from "fs";
+import { join, resolve as resolve6 } from "path";
+
+// src/agent-deploy.ts
+function emitAgentDeployWorkflow(name, domain) {
+  return `name: deploy-${name}
+
+# Agent "${name}" \u2014 a cron-triggered Cloudflare Worker (Gemini-backed). Emitted by \`greenlight add\`.
+# On a push to main touching tools/${name}, or manually: deploys the Worker, sets its secrets from
+# GitHub secrets, seeds the first run, and verifies. Creds-guarded (skips if the secrets are absent).
+on:
+  push:
+    branches: [main]
+    paths: ['tools/${name}/**']
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-${name}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: jdx/mise-action@v2
+      - run: pnpm install --frozen-lockfile
+
+      - name: Check creds
+        id: creds
+        env:
+          CF: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+          GK: \${{ secrets.GEMINI_API_KEY }}
+        run: |
+          if [ -n "$CF" ] && [ -n "$GK" ]; then echo "have=1" >> "$GITHUB_OUTPUT"; else echo "have=0" >> "$GITHUB_OUTPUT"; fi
+
+      - name: Deploy + Worker secrets + seed
+        if: steps.creds.outputs.have == '1'
+        env:
+          CLOUDFLARE_API_TOKEN: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+          GEMINI_API_KEY: \${{ secrets.GEMINI_API_KEY }}
+          RUN_TOKEN: \${{ secrets.RUN_TOKEN }}
+        run: |
+          cd tools/${name}
+          # KV namespace as code: find-or-create the STATE namespace (idempotent), then inject its id
+          # into wrangler.toml for this deploy. The id is non-secret + derived, so the repo keeps the
+          # REPLACE_WITH_KV_NAMESPACE_ID placeholder \u2014 no manual create, no hardcoded id.
+          ID=$(pnpm exec wrangler kv namespace list 2>/dev/null | jq -r '.[] | select(.title | test("${name}.*STATE")) | .id' | head -1)
+          if [ -z "$ID" ] || [ "$ID" = "null" ]; then
+            pnpm exec wrangler kv namespace create STATE || true
+            ID=$(pnpm exec wrangler kv namespace list 2>/dev/null | jq -r '.[] | select(.title | test("${name}.*STATE")) | .id' | head -1)
+          fi
+          if [ -z "$ID" ] || [ "$ID" = "null" ]; then echo "::error::could not resolve the STATE KV namespace id (token needs Workers KV Storage:Edit?)"; exit 1; fi
+          sed -i "s/REPLACE_WITH_KV_NAMESPACE_ID/$ID/g" wrangler.toml
+          pnpm exec wrangler deploy --env prod
+          printf '%s' "$GEMINI_API_KEY" | pnpm exec wrangler secret put GEMINI_API_KEY --env prod
+          printf '%s' "$RUN_TOKEN" | pnpm exec wrangler secret put RUN_TOKEN --env prod
+          cd ../..
+          # Seed the first run (the cron is daily). Retry while the custom domain propagates.
+          for i in $(seq 1 8); do
+            if curl -fsS -XPOST "https://${name}.${domain}/run" -H "Authorization: Bearer $RUN_TOKEN" >/dev/null; then
+              echo "seeded"; break
+            fi
+            echo "seed attempt $i: not ready, retrying in 10s"; sleep 10
+          done
+
+      - name: Verify
+        if: steps.creds.outputs.have == '1'
+        run: pnpm exec greenlight verify ${name} --env prod
+
+      - name: Skip notice
+        if: steps.creds.outputs.have != '1'
+        run: echo "Missing CLOUDFLARE_API_TOKEN or GEMINI_API_KEY \u2014 ${name} deploy skipped."
+`;
+}
+async function resolveCloudflareAccountId(domain, token) {
+  try {
+    const res = await fetch(
+      `https://api.cloudflare.com/client/v4/zones?name=${encodeURIComponent(domain)}`,
+      { headers: { Authorization: `Bearer ${token}` } }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.result?.[0]?.account?.id ?? null;
+  } catch {
+    return null;
+  }
+}
 
 // src/asset-paths.ts
 import { existsSync } from "fs";
@@ -501,7 +590,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.3.0";
+var MODULE_REF = "v0.3.1";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -826,103 +915,15 @@ function providersForTool(tool) {
   return out;
 }
 
-// src/commands/agent.ts
-import { cpSync, existsSync as existsSync3, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { resolve as resolve3 } from "path";
-
-// src/agent-kit.ts
-function recommendedMcp(tool) {
-  return mcpForTool(tool);
-}
-function mergeMcpServers(existing, add) {
-  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
-  for (const [name, val] of Object.entries(add)) {
-    if (out.mcpServers[name]) continue;
-    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
-  }
-  return out;
-}
-
-// src/commands/agent.ts
-var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
-
-This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
-tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
-branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
-push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
-Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
-pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
-
-Agentic kit:
-- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
-- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
-    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
-- Best-practice skills (one-time, user scope):
-    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
-`;
-function materializeAgentKit(dir, tool) {
-  const src = skillAssetDir();
-  if (!existsSync3(src)) throw new Error(`skill asset not found at ${src}`);
-  const dest = resolve3(dir, ".claude/skills/deploy-verify-promote");
-  mkdirSync(dest, { recursive: true });
-  cpSync(src, dest, { recursive: true });
-  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
-  for (const pack of packsForTool(tool)) {
-    if (!pack.skill) continue;
-    const skillSrc = skillAssetDir(pack.skill);
-    if (!existsSync3(skillSrc)) continue;
-    const skillDest = resolve3(dir, ".claude/skills", pack.skill);
-    mkdirSync(skillDest, { recursive: true });
-    cpSync(skillSrc, skillDest, { recursive: true });
-    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
-  }
-  const mcpPath = resolve3(dir, ".mcp.json");
-  const existingMcp = existsSync3(mcpPath) ? JSON.parse(readFileSync(mcpPath, "utf8")) : null;
-  const servers = recommendedMcp(tool);
-  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
-`);
-  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
-  const claudePath = resolve3(dir, "CLAUDE.md");
-  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
-  const existing = existsSync3(claudePath) ? readFileSync(claudePath, "utf8") : "";
-  if (existing.includes(marker)) {
-    console.log("\xB7 CLAUDE.md already has the loop block");
-  } else {
-    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
-
-${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
-    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
-  }
-}
-async function agentCommand(args) {
-  if (args[0] !== "sync") {
-    console.log(
-      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
-    );
-    process.exit(args[0] ? 1 : 0);
-  }
-  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
-  if (name) {
-    const { config } = await loadManifest();
-    const entry = resolveEntry(config, name);
-    const dir = resolve3(process.cwd(), entry.dir ?? ".");
-    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
-    console.log(
-      `
-Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
-    );
-    return;
-  }
-  materializeAgentKit(process.cwd());
-  console.log(
-    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
-  );
-}
+// src/tokens.ts
+import { existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { resolve as resolve4 } from "path";
+import { createInterface as createInterface2 } from "readline/promises";
 
 // src/commands/secrets.ts
 import { execFileSync } from "child_process";
-import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
-import { resolve as resolve4 } from "path";
+import { existsSync as existsSync3, readFileSync } from "fs";
+import { resolve as resolve3 } from "path";
 import { createInterface } from "readline";
 function parseSecretsEnv(text) {
   const out = [];
@@ -948,7 +949,7 @@ function parseOciConfig(text) {
   return out;
 }
 function ociPrefill(configPath, keyPath) {
-  const cfg = parseOciConfig(readFileSync2(configPath, "utf8"));
+  const cfg = parseOciConfig(readFileSync(configPath, "utf8"));
   const map = /* @__PURE__ */ new Map();
   const set = (k, v) => {
     if (v) map.set(k, v);
@@ -958,8 +959,8 @@ function ociPrefill(configPath, keyPath) {
   set("TF_VAR_OCI_TENANCY_OCID", cfg.tenancy);
   set("TF_VAR_OCI_REGION", cfg.region);
   const pem = keyPath ?? cfg.key_file;
-  if (pem && existsSync4(pem)) {
-    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync2(pem, "utf8"));
+  if (pem && existsSync3(pem)) {
+    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync(pem, "utf8"));
   } else if (pem) {
     console.log(`   ! PEM not found at ${pem} \u2014 set TF_VAR_OCI_PRIVATE_KEY manually (--oci-key)`);
   }
@@ -993,11 +994,11 @@ function syncSecrets(opts) {
       "could not determine the repo \u2014 pass --repo owner/repo (no github.com origin remote)"
     );
   }
-  const path = resolve4(opts.cwd, ".greenlight/secrets.env");
-  if (!existsSync4(path)) {
+  const path = resolve3(opts.cwd, ".greenlight/secrets.env");
+  if (!existsSync3(path)) {
     throw new Error("no .greenlight/secrets.env \u2014 run `greenlight init` with tokens first");
   }
-  const entries = parseSecretsEnv(readFileSync2(path, "utf8"));
+  const entries = parseSecretsEnv(readFileSync(path, "utf8"));
   const target = opts.env ? `env "${opts.env}"` : "repo";
   for (const { key, value } of entries) {
     const ghArgs = ["secret", "set", key, "--repo", repo];
@@ -1138,7 +1139,7 @@ async function secretsCommand(args) {
     if (!repo) throw new Error("could not determine the repo \u2014 pass --repo owner/repo");
     const ociConfig2 = flag(args, "--oci-config");
     const ociKey = flag(args, "--oci-key");
-    const prefill = ociConfig2 ? ociPrefill(resolve4(process.cwd(), ociConfig2), ociKey && resolve4(process.cwd(), ociKey)) : void 0;
+    const prefill = ociConfig2 ? ociPrefill(resolve3(process.cwd(), ociConfig2), ociKey && resolve3(process.cwd(), ociKey)) : void 0;
     await gatherSecrets(name, repo, flag(args, "--env"), prefill);
     return;
   }
@@ -1163,6 +1164,177 @@ ${count} secret(s) synced. (Prefer GitHub OIDC over long-lived tokens where supp
   );
 }
 
+// src/tokens.ts
+var SECRETS_DIR = ".greenlight";
+var SECRETS_FILE = "secrets.env";
+function presentEnv(cwd) {
+  const out = {};
+  const p = resolve4(cwd, SECRETS_DIR, SECRETS_FILE);
+  if (existsSync4(p)) {
+    for (const { key, value } of parseSecretsEnv(readFileSync2(p, "utf8"))) out[key] = value;
+  }
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0 && !(k in out)) out[k] = v;
+  }
+  return out;
+}
+function upsertSecret(cwd, key, value) {
+  const dir = resolve4(cwd, SECRETS_DIR);
+  mkdirSync(dir, { recursive: true });
+  const p = resolve4(dir, SECRETS_FILE);
+  const lines = existsSync4(p) ? readFileSync2(p, "utf8").split("\n") : [];
+  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
+  if (idx >= 0) lines[idx] = `${key}=${value}`;
+  else {
+    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
+    lines.push(`${key}=${value}`);
+  }
+  writeFileSync(p, `${lines.join("\n").replace(/\n*$/, "")}
+`, { mode: 384 });
+}
+async function ensureTokensForTool(cwd, tool, opts = {}) {
+  const doVerify = opts.verify !== false;
+  const interactive = Boolean(process.stdin.isTTY);
+  const env = presentEnv(cwd);
+  const results = [];
+  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
+  try {
+    for (const spec of tokensForTool(tool)) {
+      let value = env[spec.envVar];
+      if (value) {
+        results.push({ envVar: spec.envVar, outcome: "present" });
+      } else if (rl) {
+        console.log(`
+${spec.envVar} \u2014 ${spec.label}`);
+        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
+        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
+        if (!entered) {
+          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+          continue;
+        }
+        upsertSecret(cwd, spec.envVar, entered);
+        env[spec.envVar] = entered;
+        value = entered;
+        results.push({ envVar: spec.envVar, outcome: "entered" });
+      } else {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      if (value && doVerify && spec.verify) {
+        let check;
+        try {
+          check = await spec.verify(value, env);
+        } catch (e) {
+          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
+        }
+        const last = results[results.length - 1];
+        if (last) last.verify = check;
+        if (!check.ok && !spec.optional) {
+          throw new Error(
+            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
+          );
+        }
+      }
+    }
+  } finally {
+    rl?.close();
+  }
+  return results;
+}
+
+// src/commands/agent.ts
+import { cpSync, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve5 } from "path";
+
+// src/agent-kit.ts
+function recommendedMcp(tool) {
+  return mcpForTool(tool);
+}
+function mergeMcpServers(existing, add) {
+  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
+  for (const [name, val] of Object.entries(add)) {
+    if (out.mcpServers[name]) continue;
+    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
+  }
+  return out;
+}
+
+// src/commands/agent.ts
+var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
+
+This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
+tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
+branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
+push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
+Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
+pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
+
+Agentic kit:
+- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
+- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
+    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
+- Best-practice skills (one-time, user scope):
+    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
+`;
+function materializeAgentKit(dir, tool) {
+  const src = skillAssetDir();
+  if (!existsSync5(src)) throw new Error(`skill asset not found at ${src}`);
+  const dest = resolve5(dir, ".claude/skills/deploy-verify-promote");
+  mkdirSync2(dest, { recursive: true });
+  cpSync(src, dest, { recursive: true });
+  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
+  for (const pack of packsForTool(tool)) {
+    if (!pack.skill) continue;
+    const skillSrc = skillAssetDir(pack.skill);
+    if (!existsSync5(skillSrc)) continue;
+    const skillDest = resolve5(dir, ".claude/skills", pack.skill);
+    mkdirSync2(skillDest, { recursive: true });
+    cpSync(skillSrc, skillDest, { recursive: true });
+    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
+  }
+  const mcpPath = resolve5(dir, ".mcp.json");
+  const existingMcp = existsSync5(mcpPath) ? JSON.parse(readFileSync3(mcpPath, "utf8")) : null;
+  const servers = recommendedMcp(tool);
+  writeFileSync2(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
+`);
+  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
+  const claudePath = resolve5(dir, "CLAUDE.md");
+  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
+  const existing = existsSync5(claudePath) ? readFileSync3(claudePath, "utf8") : "";
+  if (existing.includes(marker)) {
+    console.log("\xB7 CLAUDE.md already has the loop block");
+  } else {
+    writeFileSync2(claudePath, existing ? `${existing.trimEnd()}
+
+${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
+    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
+  }
+}
+async function agentCommand(args) {
+  if (args[0] !== "sync") {
+    console.log(
+      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
+  if (name) {
+    const { config } = await loadManifest();
+    const entry = resolveEntry(config, name);
+    const dir = resolve5(process.cwd(), entry.dir ?? ".");
+    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
+    console.log(
+      `
+Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
+    );
+    return;
+  }
+  materializeAgentKit(process.cwd());
+  console.log(
+    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
+  );
+}
+
 // src/commands/add.ts
 function flag2(args, name) {
   const i = args.indexOf(name);
@@ -1174,25 +1346,25 @@ function templateDir(lane, target) {
 }
 function registerWorkspaceMember(cwd, member) {
   const wsPath = join(cwd, "pnpm-workspace.yaml");
-  if (!existsSync5(wsPath)) {
-    writeFileSync2(wsPath, `packages:
+  if (!existsSync6(wsPath)) {
+    writeFileSync3(wsPath, `packages:
   - "${member}"
 `);
     console.log(`\u2714 created pnpm-workspace.yaml (member ${member})`);
     return;
   }
-  const text = readFileSync3(wsPath, "utf8");
+  const text = readFileSync4(wsPath, "utf8");
   if (text.includes(member) || /^\s*-\s*["']?tools\/\*/m.test(text)) return;
   const lines = text.split("\n");
   const pkgIdx = lines.findIndex((l) => /^packages\s*:/.test(l));
   if (pkgIdx === -1) {
-    writeFileSync2(wsPath, `${text.replace(/\s*$/, "")}
+    writeFileSync3(wsPath, `${text.replace(/\s*$/, "")}
 packages:
   - "${member}"
 `);
   } else {
     lines.splice(pkgIdx + 1, 0, `  - "${member}"`);
-    writeFileSync2(wsPath, lines.join("\n"));
+    writeFileSync3(wsPath, lines.join("\n"));
   }
   console.log(`\u2714 registered ${member} in pnpm-workspace.yaml`);
 }
@@ -1226,48 +1398,60 @@ async function addCommand(args) {
   const data = entry?.data ?? "none";
   const envs = entry?.envs ?? ["beta", "prod"];
   const toolInfo = { lane, target, data };
-  const dest = resolve5(process.cwd(), "tools", name);
-  if (existsSync5(dest)) throw new Error(`tools/${name} already exists`);
+  const dest = resolve6(process.cwd(), "tools", name);
+  if (existsSync6(dest)) throw new Error(`tools/${name} already exists`);
   const src = templateDir(lane, target);
-  if (existsSync5(src)) {
+  if (existsSync6(src)) {
     cpSync2(src, dest, { recursive: true });
     const pkgPath = join(dest, "package.json");
-    if (existsSync5(pkgPath)) {
-      const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
+    if (existsSync6(pkgPath)) {
+      const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
       pkg.name = name;
-      writeFileSync2(pkgPath, `${JSON.stringify(pkg, null, 2)}
+      writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
     }
     const shippedGitignore = join(dest, "gitignore");
-    if (existsSync5(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
+    if (existsSync6(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
     const wranglerPath = join(dest, "wrangler.toml");
-    if (existsSync5(wranglerPath)) {
-      const wt = readFileSync3(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
-      writeFileSync2(wranglerPath, wt);
+    if (existsSync6(wranglerPath)) {
+      let wt = readFileSync4(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
+      if (wt.includes("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID")) {
+        const token = presentEnv(process.cwd()).CLOUDFLARE_API_TOKEN;
+        const acct = token ? await resolveCloudflareAccountId(config.domain, token) : null;
+        if (acct) {
+          wt = wt.replaceAll("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID", acct);
+          console.log("\u2714 resolved the Cloudflare account id into wrangler.toml");
+        } else {
+          console.log(
+            "\xB7 could not resolve the Cloudflare account id \u2014 set account_id in wrangler.toml"
+          );
+        }
+      }
+      writeFileSync3(wranglerPath, wt);
     }
     console.log(`\u2714 copied ${src} \u2192 tools/${name}`);
-    if (existsSync5(pkgPath)) registerWorkspaceMember(process.cwd(), `tools/${name}`);
+    if (existsSync6(pkgPath)) registerWorkspaceMember(process.cwd(), `tools/${name}`);
   } else {
     console.log(`! no template at ${src} \u2014 manifest entry added without scaffolding`);
   }
-  writeFileSync2(path, serializeConfig(next));
+  writeFileSync3(path, serializeConfig(next));
   console.log(`\u2714 added "${name}" (${lane}/${target}) to the manifest`);
   const cwd = process.cwd();
   const providers = providersForTool(toolInfo);
-  const infraDir = resolve5(cwd, "infra");
+  const infraDir = resolve6(cwd, "infra");
   const mainTf = join(infraDir, "main.tf");
-  if (!existsSync5(mainTf)) {
-    mkdirSync2(infraDir, { recursive: true });
-    writeFileSync2(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
+  if (!existsSync6(mainTf)) {
+    mkdirSync3(infraDir, { recursive: true });
+    writeFileSync3(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
     console.log("\u2714 scaffolded infra/main.tf (providers + HCP backend placeholder)");
   } else if (providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 infra/main.tf exists \u2014 ensure it declares provider(s): ${providers.join(", ")}`);
   }
   const toolTf = join(infraDir, `${name}.tf`);
-  if (existsSync5(toolTf)) {
+  if (existsSync6(toolTf)) {
     console.log(`\xB7 infra/${name}.tf exists \u2014 left as-is`);
   } else {
-    writeFileSync2(
+    writeFileSync3(
       toolTf,
       emitToolTf({
         name,
@@ -1283,6 +1467,17 @@ async function addCommand(args) {
     );
     console.log(`\u2714 wrote infra/${name}.tf (modules: ${providers.join(", ")})`);
   }
+  if (lane === "agent") {
+    const wfDir = resolve6(cwd, ".github/workflows");
+    const wfPath = join(wfDir, `deploy-${name}.yml`);
+    if (existsSync6(wfPath)) {
+      console.log(`\xB7 .github/workflows/deploy-${name}.yml exists \u2014 left as-is`);
+    } else {
+      mkdirSync3(wfDir, { recursive: true });
+      writeFileSync3(wfPath, emitAgentDeployWorkflow(name, config.domain));
+      console.log(`\u2714 wrote .github/workflows/deploy-${name}.yml`);
+    }
+  }
   materializeAgentKit(cwd, toolInfo);
   const repo = flag2(args, "--repo") ?? detectRepo(cwd) ?? "";
   const gather = !args.includes("--no-tokens") && process.stdin.isTTY && repo !== "";
@@ -1305,8 +1500,8 @@ Next:${gather ? "" : `
 
 // src/commands/adopt.ts
 import { execFileSync as execFileSync2 } from "child_process";
-import { cpSync as cpSync3, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync3 } from "fs";
-import { join as join2, resolve as resolve6 } from "path";
+import { cpSync as cpSync3, existsSync as existsSync7, mkdirSync as mkdirSync4, readFileSync as readFileSync5, readdirSync, writeFileSync as writeFileSync4 } from "fs";
+import { join as join2, resolve as resolve7 } from "path";
 var REF = MODULE_REF;
 function flag3(args, name) {
   const i = args.indexOf(name);
@@ -1322,7 +1517,7 @@ function mergePackageJson(existing, repoName, vendor) {
 }
 function vendorDeps(vendorDir) {
   const out = {};
-  if (!existsSync6(vendorDir)) return out;
+  if (!existsSync7(vendorDir)) return out;
   for (const f of readdirSync(vendorDir)) {
     if (!f.endsWith(".tgz")) continue;
     const base = f.replace(/-\d+\.\d+\.\d+(-[\w.]+)?\.tgz$/, "");
@@ -1777,12 +1972,12 @@ export default [api, ...agentWeb];
 `;
 }
 function writeIfAbsent(path, contents, label) {
-  if (existsSync6(path)) {
+  if (existsSync7(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync3(resolve6(path, ".."), { recursive: true });
-  writeFileSync3(path, contents);
+  mkdirSync4(resolve7(path, ".."), { recursive: true });
+  writeFileSync4(path, contents);
   console.log(`\u2714 ${label}`);
 }
 async function adoptCommand(args) {
@@ -1818,10 +2013,10 @@ async function adoptWrapper(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
   const cwd = process.cwd();
   const toolRel = `tools/${name}`;
-  const dest = resolve6(cwd, toolRel);
+  const dest = resolve7(cwd, toolRel);
   console.log(`adopting "${name}" (${lane}/${target}) as the submodule ${toolRel}
 `);
-  if (!existsSync6(dest)) {
+  if (!existsSync7(dest)) {
     try {
       execFileSync2("git", ["submodule", "add", repoArg, toolRel], { cwd, stdio: "inherit" });
       console.log(`\u2714 git submodule add ${repoArg} ${toolRel}`);
@@ -1857,7 +2052,7 @@ async function adoptWrapper(ctx) {
       }
     } : {}
   });
-  writeFileSync3(regPath, serializeConfig(nextReg));
+  writeFileSync4(regPath, serializeConfig(nextReg));
   console.log(
     `\u2714 ${existed ? "updated" : "registered"} "${name}" (external, dir ${toolRel}) in the wrapper manifest`
   );
@@ -1875,7 +2070,7 @@ async function adoptWrapper(ctx) {
     );
   }
   const providers = providersForTool({ lane, target, data });
-  if (existsSync6(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
+  if (existsSync7(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 ensure infra/main.tf declares provider(s): ${providers.join(", ")}`);
   }
   materializeAgentKit(dest, { lane, target, data });
@@ -1927,9 +2122,9 @@ Next:
 }
 async function adoptStandalone(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
-  const repo = resolve6(process.cwd(), repoArg);
-  if (!existsSync6(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
-  const regVendor = resolve6(process.cwd(), "vendor");
+  const repo = resolve7(process.cwd(), repoArg);
+  if (!existsSync7(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
+  const regVendor = resolve7(process.cwd(), "vendor");
   const vendor = vendorDeps(regVendor);
   if (Object.keys(vendor).length === 0) {
     throw new Error(
@@ -1947,15 +2142,15 @@ async function adoptStandalone(ctx) {
   );
   const slug = parseRepo(safeGit(repo, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
   const pkgPath = join2(repo, "package.json");
-  const existingPkg = existsSync6(pkgPath) ? JSON.parse(readFileSync4(pkgPath, "utf8")) : null;
-  writeFileSync3(
+  const existingPkg = existsSync7(pkgPath) ? JSON.parse(readFileSync5(pkgPath, "utf8")) : null;
+  writeFileSync4(
     pkgPath,
     `${JSON.stringify(mergePackageJson(existingPkg, name, vendor), null, 2)}
 `
   );
   console.log("\u2714 package.json (merged framework deps + overrides)");
   const repoVendor = join2(repo, "vendor");
-  mkdirSync3(repoVendor, { recursive: true });
+  mkdirSync4(repoVendor, { recursive: true });
   for (const f of readdirSync(regVendor)) {
     if (f.endsWith(".tgz")) cpSync3(join2(regVendor, f), join2(repoVendor, f));
   }
@@ -1989,7 +2184,7 @@ async function adoptStandalone(ctx) {
     external: true,
     adopted: true
   });
-  writeFileSync3(regPath, serializeConfig(nextReg));
+  writeFileSync4(regPath, serializeConfig(nextReg));
   console.log(`\u2714 registered "${name}" in ${regPath.replace(`${process.cwd()}/`, "")} (external)`);
   console.log(`
 Next (in the adopted repo):
@@ -2002,20 +2197,20 @@ Note: deploying ${target} needs the ${target} adapter (workers is built; oci/ver
 }
 function addGreenlightScript(dir) {
   const pkgPath = join2(dir, "package.json");
-  if (!existsSync6(pkgPath)) {
+  if (!existsSync7(pkgPath)) {
     console.log(
       "\xB7 no package.json (non-Node tool) \u2014 run the loop via `npx @rtrentjones/greenlight`"
     );
     return;
   }
-  const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
+  const pkg = JSON.parse(readFileSync5(pkgPath, "utf8"));
   pkg.scripts = { ...pkg.scripts ?? {} };
   if (pkg.scripts.greenlight) {
     console.log("\xB7 package.json already has a greenlight script");
     return;
   }
   pkg.scripts.greenlight = "npx @rtrentjones/greenlight";
-  writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
+  writeFileSync4(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
   console.log("\u2714 package.json (greenlight script \u2014 runnable via npx post-publish)");
 }
@@ -2160,10 +2355,10 @@ async function deployCommand(args) {
 // src/commands/doctor.ts
 import { execFileSync as execFileSync4 } from "child_process";
 import { lookup } from "dns/promises";
-import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync2 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync6, readdirSync as readdirSync2 } from "fs";
 import { join as join4 } from "path";
 function dirCheck(label, dir) {
-  return existsSync7(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
+  return existsSync8(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
 }
 function conformanceChecks(t, root) {
   const out = [];
@@ -2173,7 +2368,7 @@ function conformanceChecks(t, root) {
     join4(toolDir, `verify/${t.name}.config.ts`),
     join4(toolDir, "verify.config.ts")
   ] : [join4(toolDir, "verify.config.ts")];
-  const found = specCandidates.find((p) => existsSync7(join4(root, p)));
+  const found = specCandidates.find((p) => existsSync8(join4(root, p)));
   out.push({
     name: `${t.name}: in the verify loop`,
     status: found ? "ok" : "warn",
@@ -2199,14 +2394,14 @@ function conformanceChecks(t, root) {
   }
   if (!t.external && t.lane === "next" && t.target === "vercel") {
     const wsPath = join4(root, "pnpm-workspace.yaml");
-    const ws = existsSync7(wsPath) ? readFileSync5(wsPath, "utf8") : "";
+    const ws = existsSync8(wsPath) ? readFileSync6(wsPath, "utf8") : "";
     const member = ws.includes(toolDir) || /^\s*-\s*["']?tools\/\*/m.test(ws);
     out.push({
       name: `${t.name}: pnpm workspace member`,
       status: member ? "ok" : "warn",
       detail: member ? void 0 : `add "${toolDir}" to pnpm-workspace.yaml \u2014 else Vercel's root install skips its deps`
     });
-    const hasVercelJson = existsSync7(join4(root, toolDir, "vercel.json"));
+    const hasVercelJson = existsSync8(join4(root, toolDir, "vercel.json"));
     out.push({
       name: `${t.name}: vercel.json framework`,
       status: hasVercelJson ? "ok" : "warn",
@@ -2220,7 +2415,7 @@ function versionDriftCheck(root) {
   let installed;
   try {
     const pkg = JSON.parse(
-      readFileSync5(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
+      readFileSync6(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
     );
     installed = pkg.version;
   } catch {
@@ -2228,7 +2423,7 @@ function versionDriftCheck(root) {
   const refs = /* @__PURE__ */ new Set();
   try {
     for (const f of readdirSync2(join4(root, "infra")).filter((f2) => f2.endsWith(".tf"))) {
-      const body = readFileSync5(join4(root, "infra", f), "utf8");
+      const body = readFileSync6(join4(root, "infra", f), "utf8");
       for (const m of body.matchAll(/greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=(v[0-9.]+)/g)) {
         if (m[1]) refs.add(m[1]);
       }
@@ -2284,7 +2479,7 @@ function runDoctor(config, root) {
       checks.push({ name: `${t.name}: external (registry)`, status: "ok", detail: url });
       if (t.dir) {
         checks.push(
-          existsSync7(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
+          existsSync8(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
             name: `${t.name}: dir present`,
             status: "warn",
             detail: `declared dir "${t.dir}" missing \u2014 run \`git submodule update --init\``
@@ -2378,89 +2573,6 @@ ${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
 import { existsSync as existsSync9, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
 import { resolve as resolve8 } from "path";
 import { createInterface as createInterface3 } from "readline/promises";
-
-// src/tokens.ts
-import { existsSync as existsSync8, mkdirSync as mkdirSync4, readFileSync as readFileSync6, writeFileSync as writeFileSync4 } from "fs";
-import { resolve as resolve7 } from "path";
-import { createInterface as createInterface2 } from "readline/promises";
-var SECRETS_DIR = ".greenlight";
-var SECRETS_FILE = "secrets.env";
-function presentEnv(cwd) {
-  const out = {};
-  const p = resolve7(cwd, SECRETS_DIR, SECRETS_FILE);
-  if (existsSync8(p)) {
-    for (const { key, value } of parseSecretsEnv(readFileSync6(p, "utf8"))) out[key] = value;
-  }
-  for (const [k, v] of Object.entries(process.env)) {
-    if (v !== void 0 && !(k in out)) out[k] = v;
-  }
-  return out;
-}
-function upsertSecret(cwd, key, value) {
-  const dir = resolve7(cwd, SECRETS_DIR);
-  mkdirSync4(dir, { recursive: true });
-  const p = resolve7(dir, SECRETS_FILE);
-  const lines = existsSync8(p) ? readFileSync6(p, "utf8").split("\n") : [];
-  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
-  if (idx >= 0) lines[idx] = `${key}=${value}`;
-  else {
-    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
-    lines.push(`${key}=${value}`);
-  }
-  writeFileSync4(p, `${lines.join("\n").replace(/\n*$/, "")}
-`, { mode: 384 });
-}
-async function ensureTokensForTool(cwd, tool, opts = {}) {
-  const doVerify = opts.verify !== false;
-  const interactive = Boolean(process.stdin.isTTY);
-  const env = presentEnv(cwd);
-  const results = [];
-  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
-  try {
-    for (const spec of tokensForTool(tool)) {
-      let value = env[spec.envVar];
-      if (value) {
-        results.push({ envVar: spec.envVar, outcome: "present" });
-      } else if (rl) {
-        console.log(`
-${spec.envVar} \u2014 ${spec.label}`);
-        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
-        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
-        if (!entered) {
-          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-          continue;
-        }
-        upsertSecret(cwd, spec.envVar, entered);
-        env[spec.envVar] = entered;
-        value = entered;
-        results.push({ envVar: spec.envVar, outcome: "entered" });
-      } else {
-        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-        continue;
-      }
-      if (value && doVerify && spec.verify) {
-        let check;
-        try {
-          check = await spec.verify(value, env);
-        } catch (e) {
-          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
-        }
-        const last = results[results.length - 1];
-        if (last) last.verify = check;
-        if (!check.ok && !spec.optional) {
-          throw new Error(
-            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
-          );
-        }
-      }
-    }
-  } finally {
-    rl?.close();
-  }
-  return results;
-}
-
-// src/commands/init.ts
 function flag5(args, name) {
   const i = args.indexOf(name);
   return i >= 0 ? args[i + 1] : void 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-adapters": "0.3.0",
-    "@rtrentjones/greenlight-loop": "0.3.0",
-    "@rtrentjones/greenlight-verify": "0.3.0",
-    "@rtrentjones/greenlight-shared": "0.3.0"
+    "@rtrentjones/greenlight-adapters": "0.3.1",
+    "@rtrentjones/greenlight-loop": "0.3.1",
+    "@rtrentjones/greenlight-shared": "0.3.1",
+    "@rtrentjones/greenlight-verify": "0.3.1"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",

package/templates/_template-agent/wrangler.toml

@@ -1,9 +1,11 @@
-# Agent Worker. `greenlight add` rewrites `name` (agent-tool → your tool) + the route domain
-# (example.dev → your domain). You still set the KV namespace id (create it once with
-# `wrangler kv namespace create STATE`) and the secrets:
-#   wrangler secret put GEMINI_API_KEY --env prod   (Google AI Studio key — free tier)
-#   wrangler secret put RUN_TOKEN --env prod         (any random string; bearer for POST /run)
+# Agent Worker. `greenlight add` rewrites `name` + the route domain + the account_id, and emits a
+# .github/workflows/deploy-<name>.yml that (on push to main) creates the KV namespace, deploys, sets
+# the GEMINI_API_KEY + RUN_TOKEN Worker secrets from GitHub secrets, seeds, and verifies. So you only
+# add those two GitHub secrets — no manual wrangler.
 name = "agent-tool"
+# Non-secret account id (committed config). `greenlight add` resolves + fills this from your domain's
+# zone; without it wrangler calls /memberships, which a scoped API token can't do.
+account_id = "REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID"
 main = "src/index.ts"
 compatibility_date = "2025-06-01"